We got this from a customer who did a security scan:

A Tomcat Manager login panel was discovered via path normalization.
Normalizing a path involves modifying the string that identifies a
path or file so that it conforms to a valid path on the target
operating system.

QID Detection Logic: This QID sends an HTTP GET request with a /..;/
payload and, based on the response, confirms whether the target is
vulnerable.

Remediation notes

Customers are advised to configure the reverse proxy to reject paths
that contain the Tomcat path parameter character ;

This sounds to me like something external to Tomcat, and external to the box Tomcat is running on. Would that be correct?

--
JHHL
